We put a lot of effort into our application, infrastructure, and processes to ensure that
Acko is safe and secure for our customers to buy and claim policies online. Acko's
security team works hard to keep customers' data secure.
If you are a bug hunter, security researcher, or a white hat hacker, Acko is extending
you an opportunity to show your skills in identifying security vulnerabilities and
get rewarded/recognized in return.
If you think you can find security issues that have the potential to be exploited, we
appreciate your help in letting us know as soon as possible.
For any security vulnerabilities identified in our website (https://www.acko.com/) or the Acko app
(Android and iOS), send an email to [email protected] with the
complete details of the identified vulnerability. It will help our security team reproduce the
vulnerability more quickly if you also include POC code, a video, or detailed screenshots.
Employees (on-role, off-role and ex-employees*) of Acko, relatives of an employee
(parent, sibling, spouse), and business partners of Acko are not eligible for the bug
bounty program.
*Ex-employees may only report bugs at least 2 years after separation.
- Duplicate vulnerability: if the vulnerability has already been reported by someone else
before you, it will not be considered.
- Do not test for Denial of Service (DoS), Distributed Denial of Service (DDoS),
spam, or social engineering.
- Do not proceed further if you gain system access; this can disrupt our systems and
services.
- Do not use automated tools that can create significant traffic and disrupt our
services.
- Self-XSS
- Missing cookie attributes
- Content Security Policy
- Server information disclosure / software version disclosure / unhandled error
messages
- Best-practice TLS/SSL configuration
- Brute force
- Physical attempts against Acko property or physical access to a user's device are
strictly prohibited.
All valid security bugs qualify for rewards based on the severity of the identified
bug. The severity of the bug, and the corresponding monetary reward/recognition, depend
on the criticality of the issue and will be determined at the sole discretion of Acko's
Security team.
- Public disclosure of any bug is prohibited. Fixed bugs will not be disclosed without
the express consent of Acko.
- Acko will not be responsible for non-adherence or violation of laws and
regulation/norms.
- Accessing, modifying or deleting any user's data without express consent is
strictly prohibited.
- Violation of user privacy or use of Acko data is strictly prohibited.
- If any privacy violation is inadvertently caused by researchers while testing, they
are obliged to disclose it to us immediately.
- Exploiting a vulnerability for your own or others' benefit will be considered an attack
on Acko's website, infrastructure and services, for which Acko reserves the right to take
legal action.
- Disruption to Acko production systems or destruction of data during security testing
is strictly prohibited.
- Researchers must abstain from exploiting a security vulnerability.
- Acko only gives rewards/recognition in the form of monetary benefits, Hall of
Fame entries or goodies. Rewards/recognition will only be given based on the criticality of the
vulnerability. Acko reserves the absolute right to define the criticality of the
vulnerability and to alter/update the program details without prior notice.
- Bug disclosure communications with Acko’s Security Team are to remain confidential.
Researchers must destroy all artifacts created to document vulnerabilities (POC
code, videos, screenshots) after the bug report is closed.